
The impact of the EU data law on companies producing medical and health devices

The EU Regulation on harmonized principles for fair access to and use of data (the “EU Data Act”) (1) entered into force on 11 January 2024. The EU Data Act introduces new rules on access, use and sharing of data generated through connected products or related services. The Data Act will have a significant impact on businesses around the world, and especially on medical and health device companies.

Subject to specific rules, organizations covered by the EU Data Act will have to comply with their obligations by 12 September 2025. In this article, we take a closer look at the scope of the Data Act and the steps you need to take to comply with it.

Who does the EU Data Act apply to?

The EU Data Act applies in particular to manufacturers of ‘connected products’ and providers of ‘related services’.

“Connected Products” means any device or wearable that obtains, generates or collects data regarding its use or environment and that may transmit such data through an electronic communications service, physical connection or on-device access.(2) This includes connected medical and other health-related devices such as monitoring devices, infusion pumps, implanted devices, auto-injectors, diagnostic devices, wearable devices, fitness trackers, ingestible sensors, MRI and X-ray scanners, etc.

“Related Services” means any digital services associated with Connected Products. This includes applications or user interfaces provided with the Connected Products.

Manufacturers of “connected products” and providers of “related services”, regardless of where they are based, must comply with the EU Data Act to the extent that their users are located in the EU. This means that organizations based outside the EU may also be subject to the EU Data Act.

What obligations does the Data Act impose?

In particular, the EU Data Act imposes a number of obligations on ‘data holders’. Data holders are natural or legal persons who have the right or obligation to use and share the data. These are typically manufacturers of Connected Products and/or providers of Related Services. Medical and health product companies may therefore qualify as data holders.

Under the EU Data Act, data holders must in particular:

  • Provide users with information regarding the data generated by the Connected Product or Related Services and how it is used;(3)
  • Design Connected Products and Related Services so that Connected Product and Related Services data, including appropriate metadata, is directly and easily accessible;(4)
  • Make data, including relevant metadata, available to users readily or, under certain conditions, to a third party designated by the user, without undue delay and, where appropriate and technically feasible, on a continuous and real-time basis;(5)
  • Where data, including relevant metadata, is shared with another company, provide fair, reasonable, non-discriminatory and transparent access to such data, and not charge excessive fees for it;(6)
  • Make data, including relevant metadata, available under certain conditions to public sector bodies where there is an exceptional need to use the data to perform a specific task in the public interest, such as official statistics or the mitigation of or recovery from a public emergency;(7)
  • Appoint a legal representative in an EU Member State if they are not established in the EU.(8)

These data access obligations apply to “Product Data” and “Related Services Data”. Product Data means data generated by the use of a Connected Product that is retrievable.(9) Related Services Data, in turn, means data representing the digitization of user actions or events related to a Connected Product.(10) In practice, these terms cover all data generated as a result of the use of the Connected Product or Related Service, both personal and non-personal data, including relevant metadata. Inferred or derived data, however, is not included.

It is important to emphasize that “Users” within the meaning of the EU Data Act means any natural or legal person who owns or leases a Connected Product or uses Related Services. In the case of medical devices and health products, users may be patients or individuals as well as healthcare providers.

Note that access to data may be restricted, in particular:

  • Users and Data Holders may contractually restrict or prohibit access to data if it would jeopardize the safety of the product or adversely affect health, safety or security;
  • Users and Data Holders may agree to implement proportionate technical and organizational measures necessary to preserve the confidentiality of trade secrets.

What compliance steps do medical and health device companies need to take?

The EU Data Act will have far-reaching consequences for medical and health product companies operating on the EU market. Compliance with the new regulation will require changes ranging from the design and development of the Connected Product and/or Related Services, to the implementation of procedures and processes, to the drafting of the required disclosures. It is therefore extremely important that these companies start working on compliance with the new regulation immediately.

In particular, healthcare and medical device companies subject to the EU Data Act will have to:

  • Ensure that their Connected Products or Related Services are designed to meet the data access obligations;
  • Draft notices regarding the data generated by Connected Products or Related Services;
  • Implement internal procedures and processes to respond to data access requests;
  • Identify and document the data that needs to be protected as trade secrets and the measures that need to be implemented to protect it. This involves a thorough analysis of whether granting access to certain data could affect the confidentiality of their trade secrets, and the identification and implementation of proportionate measures to protect those trade secrets, as necessary to protect their business models and competitiveness;
  • Review their terms and conditions.

What are the risks of not complying with the EU Data Act?

Penalties for breaches of the EU Data Act will be determined at national level by each EU Member State.(11) EU Member States are obliged to notify the European Commission by 12 September 2025 of the provisions they have adopted in this area.(12)

Breaches of data sharing obligations may be punished by the administrative fines provided for in the EU General Data Protection Regulation (GDPR), namely administrative fines of up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the organization that commits the breach.(13)

Application

The EU Data Act will apply from 12 September 2025. Given the steps that will be required to comply with it, medical and health product companies would do well to start assessing now what they will need to do to meet its requirements. By starting the compliance process early, they can reduce potential liabilities and ensure compliance with the EU Data Act in an appropriate and timely manner.


(1) Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act).

(3) Article 3(1) 2 and 3 of the EU Data Act.

(4) Article 3(1) 1 of the EU Data Act.

(5) Article 3(1) 2 and Article 4(1) of the EU Data Act.

(6) Articles 5 and 8 of the EU Data Act.

(7) Articles 14, 15 and 18 of the EU Data Act.

(8) Article 37 para. 11 of the EU Data Act.

(9) Article 2(1) 15 of the EU Data Act.

(10) Article 2(1) 16 of the EU Data Act.

(11) Article 40(1) 1 of the EU Data Act.

(12) Article 40(1) 2 of the EU Data Act.

(13) Article 40(1) 4 of the EU Data Act.
